CryptoWall 4.0 Spreading via Angler Exploit Kit

CryptoWall 4.0, the latest variant of one of the most active ransomware threats, has been recently added to the Angler Exploit Kit (EK), Bitdefender researchers have discovered.

The CryptoWall ransomware, which encrypts files on infected devices and demands users to pay a ransom to in order to regain access to them, emerged a few years ago and has evolved significantly ever since, reaching version 4.0 in October 2015. In early November, Bitdefender revealed that the malware started to encrypt filenames too, preventing users from even recognizing their files.

CryptoWall 4.0 pretends to be testing AV solutions to protect users’ data, while it actually encrypting the data. The malware also includes a redesigned ransom note, which tells victims that the “CryptoWall Project” is not malicious, though it still requires them to pay the ransom to decrypt their files, as well as an advanced malware dropper mechanisms and improved communication capabilities.

At the end of November, just one month after the new malware variant emerged, the masterminds behind the Nuclear EK added CryptoWall 4.0 to their malicious payloads. The EK initially started delivering the CryptoWall 3.0 variant, which was estimated in October to have generated over $325 million in profits. Soon after, the cybercriminals switched to the 4.0 version just a few days later.

According to a recent blog post from Bitdefender , CyptoWall 4.0 is now being delivered by the Angler EK as well, one of the most used exploits kits out there.

Angler EK was spotted for the first time back in 2013, but became more prevalent in the second half of 2014, when it had already included unique obfuscation capabilities, antivirus detection, encrypted payload and fileless infection, while also being able to deliver a broad range of payloads, including banking Trojans, rootkits, ransomware, and backdoor Trojans.

In October 2015, Cisco estimated that the perpetrators behind Angler were using 147 proxy servers to serve exploits to roughly 9,000 unique IP addresses each day. With a success infection rate of roughly 40 percent, the malware supposedly compromised about 529,000 systems per month, with around 62 percent of the infections said to deliver ransomware.

Bitdefender researchers suggest that cybercriminals are adapting to the current market challenges, and that the malware-as-a-service business is expected to reach the same complexity and scale as a legitimate business. Infoblox Inc.’s DNS Threat Index, released in November, revealed a similar trend, warning that exploit kit infrastructure activity jumped 75 percent in Q3 2015 when compared to the same period a year before.